Ensure images are selected using a digest

Error: Images are not selected using a digest

Bridgecrew Policy ID: BC_K8S_39
Checkov Check ID: CKV_K8S_43
Severity: LOW

Description

In some cases you may prefer to use a fixed version of an image, rather than update to newer versions. Docker enables you to pull an image by its digest, specifying exactly which version of an image to pull.

Pulling using a digest allows you to "pin" an image to that version, and guarantee that the image you're using is always the same. Digests also prevent race conditions: if a new image is pushed while a deploy is in progress, different nodes may be pulling the image at different times, so some nodes end up with the new image and some with the old one. Services automatically resolve tags to digests, so you don't need to manually specify a digest.

Fix - Runtime

CLI Command

To make sure the container always uses the same version of the image, you can specify its digest; replace <image-name>:<tag> with <image-name>@<digest> (for example, <image-name>@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2).

The digest uniquely identifies a specific version of the image, so it is never updated by Kubernetes unless you change the digest value.
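To check manifests for this condition yourself, the following added Python example (written for this page; it is not Checkov's own implementation of CKV_K8S_43) parses each container's image reference and reports the ones that do not carry a well-formed sha256 digest. It goes a little beyond the single Pod case on this page: it also walks a workload's pod template (Deployment, StatefulSet and similar) and includes initContainers. The sample Deployment, its registry host and image names are constructed for the example.

```python
import re
from typing import Iterator, List, Optional, Tuple

# Digest syntax per the OCI image spec is <algorithm>:<encoded>; this check is
# deliberately strict and accepts only sha256 with 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def split_image_reference(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split an image reference into (name, tag, digest).

    Handles the awkward cases: a registry host with a port
    (localhost:5000/app:1.0), a reference carrying both a tag and a digest
    (app:1.0@sha256:...), and a bare name with neither.
    """
    name, digest = ref, None
    if "@" in ref:
        name, digest = ref.split("@", 1)
    tag = None
    # The text after the last ':' is a tag only if that ':' comes after the
    # last '/'; otherwise the ':' belongs to a registry host:port.
    last_colon = name.rfind(":")
    last_slash = name.rfind("/")
    if last_colon > last_slash:
        name, tag = name[:last_colon], name[last_colon + 1:]
    return name, tag, digest


def is_digest_pinned(ref: str) -> bool:
    """True only if the reference carries a well-formed sha256 digest.

    A tag next to the digest is fine: the runtime resolves by digest and
    ignores the tag, so the image is still pinned.
    """
    _, _, digest = split_image_reference(ref)
    return digest is not None and DIGEST_RE.fullmatch(digest) is not None


def iter_container_images(manifest: dict) -> Iterator[Tuple[str, str]]:
    """Yield (container name, image) for every container in a Pod, or in a
    workload whose spec.template is a Pod template, initContainers included."""
    spec = manifest.get("spec", {}) or {}
    pod_spec = (spec.get("template", {}) or {}).get("spec", spec)
    for field in ("initContainers", "containers"):
        for container in pod_spec.get(field, []) or []:
            yield container.get("name", "<unnamed>"), container.get("image", "")


def find_unpinned_images(manifest: dict) -> List[Tuple[str, str]]:
    """Return [(container, image)] for containers not pinned by digest,
    which is the condition this policy reports."""
    return [(name, image) for name, image in iter_container_images(manifest)
            if not is_digest_pinned(image)]


# Constructed sample manifest (hypothetical names, not from the page):
# an init container with a malformed digest, a tag-only container, and a
# properly pinned sidecar.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "example"},
    "spec": {
        "template": {
            "spec": {
                "initContainers": [
                    {"name": "init",
                     "image": "registry.example.com:5000/init@sha256:deadbeef"},
                ],
                "containers": [
                    {"name": "app",
                     "image": "registry.example.com:5000/app:1.4.2"},
                    {"name": "sidecar",
                     "image": "nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2"},
                ],
            }
        }
    },
}

if __name__ == "__main__":
    for name, image in find_unpinned_images(SAMPLE_DEPLOYMENT):
        print(f"{name}: {image} is not pinned by digest")
```

The registry-port handling matters in practice: a naive split on ":" would treat `registry.example.com:5000/app` as a tagged reference and miss that it is pinned by nothing at all. Malformed digests are flagged too, since a truncated or mistyped digest will fail to pull rather than pin anything.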

Fix - Buildtime

Kubernetes

  • Resource: image
  • Argument: digest
apiVersion: v1
kind: Pod
metadata:
  name: <Pod name>
spec:
  containers:
  - name: <container name>
    image: <image name>@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2

{
  "creator": 7,
  "id": 2110,
  "image_id": null,
  "images": [
    {
      "architecture": "amd64",
      "features": "",
      "variant": null,
      "digest": "sha256:1ae98b2c895d1ceeba8913ff79f422f005b7f967a311da520a88ac89180b4c39",
      "os": "linux",
      "os_features": "",
      "os_version": null,
      "size": 87342331
    }
  ],
  "last_updated": "2017-04-06T20:16:24.015937Z",
  "last_updater": 2215,
  "last_updater_username": "stackbrew",
  "name": "centos5",
  "repository": 54,
  "full_size": 87342331,
  "v2": true
}